INTRUSION PREVENTION SYSTEM (IPS)
Name: Anindita Mishra   Roll No: 137

OUTLINE
o Introduction
o Objectives
o IPS's detection methods
o Classifications
o IPS vs. IDS
o IPS vs. Firewall
o Conclusion
o References
o Questions
INTRODUCTION
o Intrusion: a set of actions aimed at compromising the integrity, confidentiality or availability of a computing or networking resource.
o Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances or host software that monitor network and system activity for malicious or harmful behavior and, unlike a pure detection system, can block it rather than only report it.

OBJECTIVES
The main objectives of an intrusion prevention system are:
o Identification of malicious activity
o Logging of information about that activity
o Attempting to block or stop the harmful activity
o Reporting the malicious activity
IPS'S DETECTION METHODS
The majority of intrusion prevention systems use one of two detection methods:
o Signature-based detection. This method uses signatures of known attack patterns that are preconfigured and predetermined. A signature-based IPS monitors network traffic for matches to these signatures; once a match is found, the IPS takes the action configured for that signature (for example, drop the packet, reset the connection or raise an alert). Its limitation is that it can only detect attacks for which a signature already exists, so the signature set must be kept up to date, and a naive signature can be evaded by encoding or fragmenting the pattern.

CONTINUE...
o Statistical anomaly-based (behavior-based) detection. A statistical anomaly-based IPS first learns what normal network activity looks like: how much bandwidth is generally used, which protocols are used, which ports and devices generally connect to each other. It then alerts the administrator and blocks the traffic when activity deviates from that baseline. Unlike signature-based detection it can catch previously unseen attacks, but the baseline must be learned from clean traffic and it produces more false positives, which matters when the system is blocking inline.
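As an added example (not code from the slides or from any real IPS), the Python below shows both detection methods side by side: a signature engine that matches Snort-style content rules against packets and returns the rule's action, and a statistical baseline that flags any source whose connection count in a window exceeds the learned mean plus three standard deviations. The packets, rules and baseline counts are constructed for illustration.

```python
"""Signature-based and statistical anomaly-based detection in one small inline
engine. Added example for these slides, not code from any real IPS; the rules,
packets and baseline numbers are constructed for illustration."""
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """Snort-style signature: action, protocol, destination port and a byte
    pattern that must appear in the payload (like Snort's content: option)."""
    action: str            # "drop" = prevent inline, "alert" = report only
    proto: str
    dport: Optional[int]   # None matches any destination port
    content: bytes
    msg: str


# Constructed signatures (hypothetical; not a real rule set)
RULES = [
    Rule("drop", "tcp", 80, b"../../etc/passwd", "path traversal to /etc/passwd"),
    Rule("alert", "tcp", None, b"UNION SELECT", "SQL injection keyword in payload"),
]


def signature_check(pkt: Packet, rules=RULES):
    """Return (action, msg) for the first matching rule, or ("pass", None).
    Matching is a plain substring test; a real engine uses multi-pattern
    matching and protocol-aware normalization to resist evasion."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.content in pkt.payload:
            return (r.action, r.msg)
    return ("pass", None)


class AnomalyBaseline:
    """Statistical anomaly detection: learn the normal per-source connection
    count per time window, then flag sources above mean + k * stdev."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, counts_per_window):
        # counts_per_window must come from clean traffic, or the attack
        # becomes part of "normal"
        self.mean = statistics.mean(counts_per_window)
        self.stdev = statistics.pstdev(counts_per_window)

    def threshold(self) -> float:
        return self.mean + self.k * self.stdev

    def anomalous_sources(self, window):
        """Given the packets of one window, return the sources whose
        connection count exceeds the learned threshold."""
        counts = Counter(p.src for p in window)
        return sorted(src for src, n in counts.items() if n > self.threshold())


if __name__ == "__main__":
    # Signature path: a path-traversal request on port 80 is dropped
    http = Packet("10.0.0.5", "192.0.2.10", "tcp", 80,
                  b"GET /../../etc/passwd HTTP/1.1\r\n")
    print(signature_check(http))            # ('drop', 'path traversal to /etc/passwd')

    # Anomaly path: baseline from eight quiet windows, then a flood-like window
    base = AnomalyBaseline()
    base.train([4, 5, 6, 5, 4, 6, 5, 5])    # threshold = 5 + 3*sqrt(0.5) ~ 7.12
    window = [Packet("10.0.0.99", "192.0.2.10", "tcp", 80 + i, b"") for i in range(50)]
    window += [Packet("10.0.0.5", "192.0.2.10", "tcp", 443, b"") for _ in range(5)]
    print(base.anomalous_sources(window))   # ['10.0.0.99']
```

The two halves fail in opposite ways: the signature engine misses anything not in RULES, while the baseline flags the 50-connection source only because the training windows were quiet, so a baseline learned while an attack was already under way would have a higher threshold and miss it.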
CLASSIFICATIONS
Intrusion prevention systems can be classified into four types:
o Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity. In a NIPS, sensors are placed inline at network borders and other choke points. Sensors capture all traffic passing through them, analyze the content of individual packets and streams for malicious traffic and drop what matches. Because the sensor sees packets rather than host state, it cannot inspect encrypted payloads unless TLS is terminated in front of it. Example: Snort (a free and open source network intrusion detection and prevention system created by Martin Roesch in 1998; it was developed by Sourcefire, which Cisco acquired in 2013).

CONTINUE...
o Host-based intrusion prevention system (HIPS): an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host, such as log entries, file integrity changes and process activity. Example: OSSEC (a free, open source host-based intrusion detection system, HIDS, whose active-response feature can block the source of a detected attack; it supports most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows).
o Wireless intrusion prevention system (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
o Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
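A HIPS works from host events rather than packets. As an added example that is not OSSEC's code, the Python below reads constructed sshd auth-log lines, counts failed logins per source address in a 60-second sliding window and, at the fifth failure, emits the firewall-drop command an active response would run. The log lines, the year (syslog lines carry none) and the iptables command are assumptions; the command is returned, not executed.

```python
"""Host-based detection over the host's own authentication log: a sliding
window counts failed SSH logins per source and triggers a block, the way an
active response does. Added example, not OSSEC code; the log lines are
constructed and the block is returned as a command rather than executed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log in syslog format (not a real capture)
AUTH_LOG = """\
Mar 10 12:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 10 12:00:05 host1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 10 12:00:07 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 10 12:00:09 host1 sshd[1205]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar 10 12:00:10 host1 sshd[1206]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 12:00:12 host1 sshd[1207]: Failed password for root from 203.0.113.7 port 51239 ssh2
Mar 10 12:05:00 host1 sshd[1300]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar 10 12:09:00 host1 sshd[1301]: Failed password for bob from 198.51.100.4 port 40002 ssh2
"""

# Matches only failed password attempts; accepted logins and other daemons are ignored
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time_blocked} for sources with >= threshold failures inside
    any `window`; each IP is blocked once, at the failure that crossed the line."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


def active_response(ip: str):
    """Firewall-drop command a HIPS would run for a blocked source (assumed
    Linux/iptables host; returned here, never executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in detect_bruteforce(AUTH_LOG).items():
        print(f"{when} block {ip}: {' '.join(active_response(ip))}")
    # 2024-03-10 12:00:10 block 203.0.113.7: iptables -I INPUT -s 203.0.113.7 -j DROP
```

The window matters as much as the threshold: 198.51.100.4 fails twice, but the failures are four minutes apart, so even a threshold of 2 would not block it, while the attacker reaches five failures in nine seconds. A real deployment would also expire the block after a timeout, since a brute-force source spoofed to look like a legitimate host would otherwise lock that host out permanently.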
HOW IDS WORKS?
An IDS works on a copy of the traffic, fed from a mirror (SPAN) port or a network tap. It can detect an attack and send an alert (and take other actions, such as sending a TCP reset), but it cannot reliably prevent the attack because it does not sit inline in the forwarding path: the packets have already reached their destination by the time it reacts.

HOW IPS WORKS?
An IPS operates in inline mode: the device is in the actual traffic path, so every packet passes through it and can be dropped before it reaches its destination. This makes the device effective against worms and atomic attacks (attacks carried out by a single packet), which a passive sensor could only report after the fact. The trade-off is that a false positive blocks legitimate traffic, the device adds latency, and a sensor failure either stops traffic (fail-closed) or passes it uninspected (fail-open), so placement and failure mode must be chosen deliberately.
IPS VS. IDS
An IDS typically records information about observed malicious events, notifies security administrators of important events and produces reports. An IPS is considered an extension of the IDS because both monitor network traffic and system activity for malicious activity. But unlike an IDS, an IPS is able to actively prevent or block the intrusions it detects.

IPS VS. FIREWALL
An IPS monitors traffic and system activity for unwanted entry, reports or alerts on it and blocks the connection. A firewall filters traffic according to rules set by the administrator (source and destination addresses, ports, protocols and connection state) and regulates the activity between the system and the Internet; it does not inspect the content of the traffic it allows, so an attack carried inside a permitted connection, for example over port 80, passes through it. Therefore, to protect the system from unwanted intrusions, it is recommended to use a firewall in conjunction with an IPS. This is also why most Internet security products come with both a firewall and an IPS.
CONCLUSIONS
o Intrusion detection and prevention systems constantly monitor a given computer network for invasion or abnormal activity.
o They are highly customizable to accommodate specific client needs, which allows users to tailor network security to monitor highly individualized activity.
o An IPS is deployed in inline mode to protect the internal network.
o Cisco 4200 series IDS/IPS sensors offer a rich set of features for both IDS and IPS.